I noticed this note, which I thought was odd:

http://listarchives.libreoffice.org/global/users/msg35699.html

I'm hoping this is just a confusion, but we do need to be careful to
avoid confusion in this area, since it can cause users to panic.

The facts, as I understand them:

There are two features in OpenOffice (and in LibreOffice and Microsoft
Office) that users refer to when they talk about passwords:

1) Password protected encrypted documents

2) Password protected sections, cells, read-only files, etc.

An encrypted document is as good as your password.  We use good, high
quality encryption in ODF documents by default.  And we use MS Office
compatible encryption, which is also good, with Office files.

But in practice most users have far weaker passwords than they should.
The context of a password protected file is much more vulnerable than
a website password.  A typical website will allow you to attempt a log
in 3 or 5 times before locking you out for an hour or more.  But
someone who has your encrypted document can attempt to guess the
password without any such restriction.  They can run sophisticated
programs, standalone password crackers, with GPU hardware acceleration
to attempt billions of passwords.  So a casual password of 6
alphanumeric characters will be quickly broken. So given the context
users should be using longer, more complex passwords.  Of course, that
makes it more likely that they will forget the password and show up on
the forums when they forget.  However you look at it, document-based
passwords are a 1985 solution to a problem that is better solved today
in other ways.

As for the protected sections, we should all know that these are
"honor system" protection mechanisms, essentially child safety locks,
and offer no real cryptographic protection.  This is true in MS Office
as well.  The feature is there to help the user define sections that
they don't want accidentally deleted, but the password protection can
be trivially defeated in 30 seconds with a text editor and a copy of
unzip.  This is not a flaw in OpenOffice.  This is not a bug.  This is
how the feature was designed and has been used in Microsoft Office and
even 1-2-3 before then.

Hopefully we're telling users something that is consistent with what I
outlined above.  Of course, it is quite possible that many users will
not understand this and all they hear is "My password can be broken so
OpenOffice is bad".

Regards,

-Rob
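
The distinction drawn above between the two features can be checked on a file, shown here as an added example that is not part of the original message or of OpenOffice's code. It assumes the ODF package layout (a `manifest:encryption-data` child in `META-INF/manifest.xml` for encrypted parts, `text:protected` / `table:protected` attributes in `content.xml`); `classify_odf` and `_sample` are hypothetical names and both sample packages are constructed.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"

def classify_odf(data: bytes) -> dict:
    """Tell real encryption apart from edit-protection flags in an ODF package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # For untrusted files, parse with a hardened XML parser such as defusedxml.
        manifest = ET.fromstring(z.read("META-INF/manifest.xml"))
        # An encrypted part has a manifest:encryption-data child in its file-entry.
        encrypted = sorted(
            e.get(f"{{{NS}}}full-path")
            for e in manifest.iter(f"{{{NS}}}file-entry")
            if e.find(f"{{{NS}}}encryption-data") is not None
        )
        flags = []
        if "content.xml" in z.namelist() and "content.xml" not in encrypted:
            # Plaintext content: "protection" is only an attribute in readable XML.
            xml = z.read("content.xml").decode("utf-8", "replace")
            flags = sorted(set(re.findall(r'\b(?:text|table):protected="true"', xml)))
    return {"encrypted_parts": encrypted, "protection_flags": flags,
            "confidential": "content.xml" in encrypted}

def _sample(entry_child: str, content: bytes) -> bytes:
    """Build a minimal, constructed ODF-like package in memory (sample data only)."""
    manifest = (f'<manifest:manifest xmlns:manifest="{NS}">'
                f'<manifest:file-entry manifest:full-path="content.xml">'
                f'{entry_child}</manifest:file-entry></manifest:manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("content.xml", content)
    return buf.getvalue()

# Constructed samples: one with only a protected section, one with an encrypted part.
PROTECTED_ONLY = _sample("", b'<text:section text:name="Terms" text:protected="true"/>')
ENCRYPTED = _sample("<manifest:encryption-data/>", b"\x8f\x02constructed-ciphertext")

if __name__ == "__main__":
    for name, blob in (("protected-only", PROTECTED_ONLY), ("encrypted", ENCRYPTED)):
        print(name, classify_odf(blob))
```

A result with `confidential` false and a non-empty `protection_flags` list is the "child safety lock" case: the content is stored readable and the password adds no secrecy.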
